oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request: libesmtp does not check NULL bytes in commonName

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 09 Mar 2010 19:00:57 +0100
Hi Steve,

Kees Cook wrote:

Hello,

I just noticed that libesmtp does not appear to handle NULL-byte CNs, as
seen with the original browser-based issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408

Related to this are failures in wildcard handling:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191
and CN-specificity:
 https://bugzilla.redhat.com/show_bug.cgi?id=510202

Though it may be a non-issue if TLS doesn't function at all:
 http://bugs.gentoo.org/213066


  any progress while assigning CVE ids for these issues?

  From what I can tell, two should be enough:
  a, libESMTP doesn't properly handle NULL character in Common Name

    References:
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
      http://ioactive.com/pdfs/PKILayerCake.pdf (issue 2c)

  b, libESMTP's match_component() accepts two strings as equal
     if they start equal but don't have equal length => cert forgery

    References:
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191

  Kees, please correct me, if I omitted something.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team



-Kees
Previous By Date Next
Previous By Thread Next

Current thread: